I'm creating a simple contact system with an admin page. The admin can delete messages. I use a <form> tag and a submit button to send them to the action file, but no rows are deleted.

<?php
while ($row = mysqli_fetch_array($result)) {

    $adminmsgn = $row['name'];
    $adminmsge = $row['email'];
    $adminmsgm = $row['msg'];
    echo("
      <form name='actions' action='delete.php' method='post'>
    <tr>
      <td style='color: white'>$adminmsgn</td>
      <td style='color: white'>$adminmsge</td>
      <td style='color: white'>$adminmsgm</td>
      <td style='color: white'><input style='text-decoration: none;color: white' class='linkButton' type='submit' value='Delete'></td></form>
    </tr>
    ");
}
?>

delete.php:

<?php include("connection.php");
mysqli_query($link, "DELETE FROM `msg` WHERE `name` = '$adminmsgn' AND `email`= '$adminmsge' AND `msg`= '$adminmsgm'");
header("Location: http://localhost:8080/contact/admincp.php");
?>
  • I'm just doing this as an exercise to find my basic problems first. – Sepehr Jun 02 '19 at 16:42
  • [How to enable MySQLi exception mode?](https://stackoverflow.com/questions/22662488/how-to-get-mysqli-error-information-in-different-environments/22662582#22662582) – Dharman Jun 02 '19 at 16:43
  • Consider whether you really want to 'DELETE' data (i.e. make it irretrievable), as opposed to simply marking it as hidden – Strawberry Jun 02 '19 at 16:53
  • indentation and grammar changes – Rahul Jun 03 '19 at 09:33

1 Answer

Your form needs the input values, probably hidden or something. Your form could look like this:

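while ($row = mysqli_fetch_array($result)) {

    // Escape for HTML output: the values sit inside single-quoted attributes,
    // so a quote or markup in a stored message would otherwise break the form.
    $adminmsgn = htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8');
    $adminmsge = htmlspecialchars($row['email'], ENT_QUOTES, 'UTF-8');
    $adminmsgm = htmlspecialchars($row['msg'], ENT_QUOTES, 'UTF-8');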
    echo("
      <form name='actions' action='delete.php' method='post'>

      <input type='hidden' name='adminmsgn' value='$adminmsgn' >
      <input type='hidden' name='adminmsge' value='$adminmsge' >
      <input type='hidden' name='adminmsgm' value='$adminmsgm' >

    <tr>
      <td style='color: white'>$adminmsgn</td>
      <td style='color: white'>$adminmsge</td>
      <td style='color: white'>$adminmsgm</td>
      <td style='color: white'><input style='text-decoration: none;color: white' class='linkButton' type='submit' value='Delete'></td></form>
    </tr>
    ");
}

In your delete.php, simply get the variables from $_POST or $_REQUEST. And it is true you are open to SQL injection; therefore, try to use mysql_real_escape_string on all the post variables. Your code should now look like this:

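<?php
    include("connection.php");

    // The connection is a mysqli link, so the mysqli_ escaping function is
    // used here; it takes the link as its first argument.
    $adminmsgn = mysqli_real_escape_string($link, $_POST['adminmsgn']);
    $adminmsge = mysqli_real_escape_string($link, $_POST['adminmsge']);
    $adminmsgm = mysqli_real_escape_string($link, $_POST['adminmsgm']);

    mysqli_query($link, "DELETE FROM `msg` WHERE `name` = '$adminmsgn' AND `email`= '$adminmsge' AND `msg`= '$adminmsgm'");

    // Stop the script once the redirect header has been sent
    header("Location: http://localhost:8080/contact/admincp.php");
    exit;
?>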

Not tested but it should sure work
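
The same delete.php written with a prepared statement and with mysqli's exception mode switched on, as the comment under the question suggests. This is an added example, not part of the original answer; it assumes connection.php defines `$link` as a mysqli connection and that the form posts the three hidden fields shown above.

```php
<?php
// delete.php with bound parameters (added example, not the answer's code).
// Assumption: connection.php creates $link with mysqli_connect().

// Throw exceptions on database errors instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
include("connection.php");

// A delete changes state, so accept it only as a POST.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('POST required');
}

// All three hidden fields must be present and must be plain strings.
$values = [];
foreach (['adminmsgn', 'adminmsge', 'adminmsgm'] as $field) {
    if (!isset($_POST[$field]) || !is_string($_POST[$field])) {
        http_response_code(400);
        exit("Missing field: $field");
    }
    $values[$field] = $_POST[$field];
}

// The ? placeholders keep the submitted values out of the SQL text,
// so no escaping function is needed.
$stmt = mysqli_prepare(
    $link,
    "DELETE FROM `msg` WHERE `name` = ? AND `email` = ? AND `msg` = ?"
);
mysqli_stmt_bind_param(
    $stmt,
    'sss',
    $values['adminmsgn'],
    $values['adminmsge'],
    $values['adminmsgm']
);
mysqli_stmt_execute($stmt);

// Zero affected rows means the WHERE clause matched nothing.
error_log('delete.php removed ' . mysqli_stmt_affected_rows($stmt) . ' row(s)');
mysqli_stmt_close($stmt);

header("Location: http://localhost:8080/contact/admincp.php");
exit;
```

The logged row count gives a direct answer to "no rows will be deleted": a zero there means the posted values did not match any stored row.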